Understanding the NIST Cybersecurity Framework

September 01, 2022
Hand walks on a cyber path using its fingers. Digital illustration.

Today’s threat landscape, where cyberattacks have become business-ending events, necessitates steps to protect your organization or clients irrespective of size. One of the best ways to do this is by implementing the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF).

The NIST CSF is a highly recommended security baseline backed by governments and industries across the world. The NIST CSF risk management guidelines are comprehensive, and you need not be an expert to understand them. This blog will help you understand exactly what the framework is, how it is designed and how to properly comply with it.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a set of guidelines and best practices used to build and enhance cybersecurity posture.

What is NIST CSF used for?

Organizations and businesses of all sizes can use NIST CSF Framework guidelines, standards and best practices to assess, manage and reduce their cybersecurity risks.

What is the latest NIST CSF version?

The NIST CSF version 1.0 was introduced in 2014 as intended for use by critical infrastructure sectors in the United States, such as utilities, healthcare and manufacturing. However, given its ease of use, the framework is now leveraged by various industries across the world, in countries like Japan, Israel and Germany.

The NIST CSF 1.1, published in 2018, is the latest version of the framework. NIST is currently working on a significant update to these guidelines. The CSF 2.0 will go through a series of public deliberations before the final guidelines are published in late 2023 or early 2024.

What are the main components of the NIST CSF?

The NIST CSF framework is made up of three primary components The Framework Core, Framework Implementation Tiers and Framework Profiles.

Framework Core       

The Framework Core helps organizations address their cybersecurity risks while complementing their existing cybersecurity and risk management methodologies. It enables clear communication of cybersecurity activities and outcomes from the operational level to the senior executive level.

The Framework Core includes four elements:

  1. Functions An organization’s cybersecurity efforts are broken down into five high-level functions.
  2. Categories Each function is further broken into categories that cover the cybersecurity objectives of an organization.
  3. Subcategories The categories are further split into subcategories that create or improve the cybersecurity of an organization.
  4. Informative resources The informative resources are guidelines and practices that illustrate a method to achieve the outcomes associated with each subcategory.

Framework Implementation Tiers    

Framework Implementation Tiers (1 to 4) give an overview of how effectively an organization has implemented a cybersecurity framework. Organizations with an informal and reactionary approach to cybersecurity risk management come under Tier 1 and those under Tier 4, the highest level, represent an aware and risk-informed organization.

 The tiers take into consideration three main components:

  1. Risk management processes The methods organizations use to manage cybersecurity risk.
  2. Integrated risk management programs The strategy adopted by organizations to inform decision-making.
  3. External participation An organization’s awareness of the broader business ecosystem.

Framework Profiles   

Framework Profiles assist organizations in developing a roadmap for reducing cybersecurity risk. It’s a tool for organizations to enhance cybersecurity along with NIST CSF Framework Core functions.

What are the five functions of the NIST CSF Framework Core?

The NIST CSF Framework Core has five functions   Identify, Protect, Detect, Respond and Recover.

Identify

The Identify function helps an organization understand and manage cybersecurity risk to its assets, systems, people, data and capabilities. An organization can prioritize its efforts according to its business needs and risk matrix by evaluating the business context, resources and cybersecurity risks.

There are five categories within this function:

  1. Asset management
  2. Business environment
  3. Governance
  4. Risk assessment
  5. Risk management strategy

Protect

The Protect function implements necessary safeguards that ensure business continuity in the event of a cyberattack. To comply with this step, an organization must evaluate its current cybersecurity policies to access its strengths and weaknesses. Under the Protect function, six safeguard categories are designed to mitigate the impact of a cyberattack:

  1. Access control
  2. Awareness and training
  3. Data security
  4. Information protection processes and procedures
  5. Maintenance
  6. Protective technology

Detect

A cyberattack is inevitable. However, organizations that perform timely network assessment and vulnerability management scans can reduce theimpact. This NIST CSF function ensures timely discovery of a cybersecurity event. Implementing the three Detect function protocols enables organizations to detect cybersecurity events quickly and take speedy measures. They are:

  1. Anomalies and events
  2. Security continuous monitoring
  3. Detection processes

Respond

The Respond function defines the actions to be initiated in the event of a breach. Response planning often depends on an organization’s strategy and goals. To implement a successful response plan, an organization must first create a detailed response plan and test its effectiveness against a worst-case scenario. The Respond function comprises five components:

  1. Response planning
  2. Communications
  3. Analysis
  4. Mitigation
  5. Improvements

Recover

After alleviating the impact of a breach, organizations must focus on resuming normal operations at the earliest. The Recover function focuses on restoring the capabilities and services that may have been affected in the aftermath of a breach. It does so by recovering lost data, restoring affected capacities and ensuring everything is working as intended. By implementing the three Recover function steps, organizations can successfully resume normal business. The three functions are:

  1. Recovery planning
  2. Improvements
  3. Communication

What are the four NIST CSF Framework Implementation Tiers?

NIST CSF Implementation Tiers are benchmarking tools that provide clear direction to help improve your cybersecurity. The four tiers partial, risk-informed, repeatable and adaptive provide context to the stakeholders to assess an organization’s cybersecurity posture. 

Each tier comprises three cybersecurity risk processes risk management process, integrated risk management program and external participation.

Tier 1: Partial

Businesses with no cyber maturity fall under Tier 1 since they have failed to prioritize cybersecurity settings appropriately. For companies with less staff, budget or time, Tier 1 is a great starting point.

  • Risk management process The business does not have cybersecurity risk management practices in place. In its absence, the risk is managed in an ad hoc and reactive manner.
  • Integrated risk management program These businesses implement cybersecurity risk management on an irregular or case-by-case basis.
  • External participation  The business does not collaborate with other entities to stay updated with the best practices.

Tier 2: Risk-Informed

Businesses that understand risks and have implemented few compliance requirements fall under Tier 2. These businesses are aware of their cybersecurity needs but have yet to take proactive measures.

  • Risk management process  These businesses have risk management policies but haven’t implemented them thoroughly.
  • Integrated risk management program  They are aware of the cybersecurity risks but haven’t implemented an organization-wide policy to manage the cybersecurity risks.
  • External participation The business has some understanding of the cyber supply chain risks and may even collaborate or receive information from other entities. However, it still needs to proactively implement the best practices.

Tier 3: Repeatable

Businesses in Tier 3 have risk management and cybersecurity policies in place and are more prepared against threats. Businesses in Tier 3 spend more time updating their cybersecurity practices.

  • Risk management process These businesses have a formally approved risk management policy and regularly update their risk management processes in line with the business requirements or changing technology and threat landscape.

  • Integrated risk management program  These businesses have successfully implemented risk-informed policies, processes and procedures across their organization. The employees also are trained consistently to stay up to date with the evolving risks and threats.

  • External participation  The business is aware of its role, dependencies and dependents in the broader ecosystem and proactively contributes to the community’s understanding of risks. It actively collaborates and shares information with its peers.

Tier 4: Adaptive

Businesses in Tier 4 will utilize advanced adaptive cybersecurity practices. They proactively analyze behaviors or events to help protect from or adapt to threats before they happen.

  • Risk management process  Adaptive businesses proactively take measures to counter the evolving threat and technology landscape. They incorporate the lessons learned from previous and current cybersecurity security to build a strong cybersecurity posture that can withstand even sophisticated threats.
  • Integrated risk management program  These businesses have made cybersecurity risk management a part of their organizational culture. The senior-level management monitor cybersecurity risk in the same context as financial risk and makes budgeting decisions taking previous, current and potential risk environment into account.
  • External participation  These businesses proactively contribute to the broader ecosystem by sharing information internally and externally. They continuously analyze and stay updated with the evolving threat and technology landscape.

What are NIST CSF Framework Profiles?

NIST CSF Framework Profiles or Profiles help businesses identify, prioritize and address their cybersecurity requirements by determining their organizational goals, risk tolerance, available resources and potential risks.

A business or an organization must document its Current Profile that depicts its present security situation. After building a Current Profile, an organization can develop a Target Profile, which represents its desired state. Finally, a gap analysis will help prioritize the plan to build the organization’s Target Profile.

Here is how Framework Profiles are built and used:

  • The first step is to create a profile that clearly defines the Mission Objectives of the business or organization.
  • Next, an organization needs to review each Subcategory from the NIST CSF Framework Core to determine its relevance to each Mission Objective.
  • If a Subcategory is relevant, an analysis determines whether the desired outcomes are achievable and, if so, using which controls.

What is NIST compliance?

Complying with the requirements of one or more of the NIST standards is considered NIST compliance. There are several NIST standards and the most popular is the NIST Cybersecurity Framework (CSF). There are other standards such as NIST 800-171 and NIST 800-53 that deal with unclassified information. 

Who has to comply with NIST?

Federal agencies, contractors and subcontractors working with the federal government must comply with NIST.

Why is NIST compliance important?

Even though complying with NIST standards is not mandatory for everyone, all businesses should consider adapting the NIST CSF Framework best practices or guidelines. NIST compliance is important because:

Manage NIST compliance with Compliance Manager GRC

Simplify the NIST compliance process for your clients or your organization with our leading compliance solution — Compliance Manager GRC.

With Compliance Manager GRC as your “go-to” compliance solution, you can easily:

  • Stay up to date with the changing rules and ensure your organization remains compliant.
  • Perform rapid NIST CSF baseline assessments or deep dive technical assessments.
  • Track your security measures against the NIST Cybersecurity Framework while managing compliance with all your IT requirements.
  • And much more.

Request a demo today and see for it yourself.